Skip to content

[Rule Tuning] AWS EC2 Full Network Packet Capture Detected #5244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Nov 10, 2025
Merged

[Rule Tuning] AWS EC2 Full Network Packet Capture Detected #5244

Changes from 7 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
c3b028b
[Rule Tuning] AWS EC2 Full Network Packet Capture Detected
imays11 Oct 23, 2025
6d22df4
updating mitre technique
imays11 Oct 23, 2025
46ef916
updated Mitre mapping
imays11 Oct 23, 2025
055448f
updating references to include relevant threat blog
imays11 Oct 23, 2025
b7e4706
adding EC2 tag
imays11 Oct 23, 2025
870a6bc
updating EC2 tagging
imays11 Oct 27, 2025
0fcc0b6
Merge branch 'main' into tune_aws_network_rules
imays11 Nov 7, 2025
efd2e7a
Merge branch 'main' into tune_aws_network_rules
imays11 Nov 10, 2025
f2ae010
Merge branch 'main' into tune_aws_network_rules
imays11 Nov 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
139 changes: 104 additions & 35 deletions rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,15 @@
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/10/23"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon
VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be
abused to exfiltrate sensitive data from unencrypted internal traffic.
Detects successful creation of an Amazon EC2 Traffic Mirroring session. A session copies full packets from a source
Elastic Network Interface (ENI) to a mirror target (e.g., an ENI or NLB) using a mirror filter (ingress/egress rules).
While used for diagnostics and NDR/IDS tooling, adversaries can abuse sessions to covertly capture and exfiltrate
sensitive, potentially unencrypted, traffic from instances or subnets.
"""
false_positives = [
"""
Expand All @@ -18,9 +19,8 @@ false_positives = [
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Full Network Packet Capture Detected"
Expand All @@ -31,41 +31,73 @@ note = """## Triage and analysis
### Investigating AWS EC2 Full Network Packet Capture Detected
Traffic Mirroring in AWS EC2 allows copying of network traffic for monitoring and analysis, crucial for security and performance insights. However, adversaries can exploit this by capturing unencrypted data, leading to potential data exfiltration. The detection rule identifies successful creation of traffic mirroring components, signaling possible misuse for unauthorized data collection.
### Possible investigation steps
- Review the CloudTrail logs for the specific event actions: CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule, CreateTrafficMirrorSession, and CreateTrafficMirrorTarget to identify the user or role that initiated these actions.
- Check the event.outcome field to confirm the success of the traffic mirroring setup and gather details about the time and source IP address of the request.
- Investigate the associated Elastic Network Interface (ENI) to determine which EC2 instance is involved and assess its role and importance within the network.
- Analyze the network traffic patterns and data flow from the mirrored traffic to identify any signs of data exfiltration or unusual data transfer activities.
- Verify the encryption status of the network traffic being mirrored to assess the risk of sensitive data exposure.
- Cross-reference the involved AWS account and IAM roles with known threat actor profiles or previous security incidents to identify potential insider threats or compromised accounts.
This alert fires on a successful `CreateTrafficMirrorSession`, which enables full-packet Traffic Mirroring from a
source ENI to a mirror target under a given filter. Because sessions immediately begin sending packets once active,
treat unexpected creations as high priority.
#### Possible investigation steps
**Identify the actor and execution context**
- **Principal**: Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
`aws.cloudtrail.user_identity.access_key_id` to determine who created the session (human IAM user vs. assumed role vs. automation).
- **Caller metadata**: Check `user_agent.original`, and `source.ip` for unusual tools, hosts, or locations.
- **Account/Region/Time**: Validate `cloud.account.id`, `cloud.region`, and `@timestamp` against change windows or tickets.
**Extract the session details from the event**
- **Request parameters**: Parse `aws.cloudtrail.request_parameters` for:
- `NetworkInterfaceId` (mirrored source ENI) map to the EC2 instance and its business function.
- `TrafficMirrorTargetId` identify where packets are being sent (ENI vs. NLB).
- `TrafficMirrorFilterId` check which directions and protocols are allowed (ingress/egress, ports).
- `SessionNumber`, `Description`, `TagSpecifications` look for operator tags or suspicious notes.
- **Response elements**: Use `aws.cloudtrail.response_elements` to confirm the created `TrafficMirrorSessionId` and
any resolved resource ARNs/IDs.
**Pivot for related API calls to validate scope and intent**
Look before and after this event (±30–60 minutes) by the same principal / access key / source IP for:
- **Target & Filter lifecycle**: `CreateTrafficMirrorTarget`, `CreateTrafficMirrorFilter`, `CreateTrafficMirrorFilterRule`,
`ModifyTrafficMirrorSession|Filter|FilterRule`, and `Delete*` calls (rapid create-modify patterns can indicate staging).
- **Session management**: `DeleteTrafficMirrorSession` shortly after creation (test/probe), or repeated creations to different targets.
- **Discovery/positioning**: `DescribeNetworkInterfaces`, `DescribeInstances`, `DescribeVpcs/Subnets/RouteTables` around the same time.
- **Cross-account indicators**: creation of targets that forward to infrastructure not owned by your account (e.g., NLB in shared services).
- **Other suspicious changes**: IAM permission changes, new access keys, or S3/SNS setup that could support exfil/ops.
**Validate the mirror destination and potential data exposure**
- If the target is an ENI: identify the owning instance/application; confirm it is an approved NDR/packet capture host.
- If the target is an NLB target: determine where the NLB sends traffic (could be a collection point in another VPC or account).
- Assess whether mirrored flows include plaintext protocols (internal HTTP, databases, LDAP, etc.) increasing sensitivity.
### False positive analysis
- Routine network monitoring activities may trigger the rule if legitimate traffic mirroring is set up for performance analysis. To manage this, identify and document authorized traffic mirroring configurations and exclude them from alerts.
- Security audits or compliance checks might involve creating traffic mirroring sessions. Coordinate with audit teams to schedule these activities and temporarily suppress alerts during these periods.
- Development and testing environments often use traffic mirroring for debugging purposes. Maintain a list of such environments and apply exceptions to avoid unnecessary alerts.
- Automated infrastructure management tools might create traffic mirroring components as part of their operations. Review and whitelist these tools to prevent false positives.
- Ensure that any third-party services with access to your AWS environment are vetted and their activities are monitored to distinguish between legitimate and suspicious traffic mirroring actions.
- **Authorized monitoring**: Approved NDR/IDS tooling or troubleshooting playbooks may legitimately create sessions.
- **Ops/diagnostics**: Short-lived sessions during incident handling or performance analysis.
- **Automation**: Infrastructure pipelines that stand up temporary mirroring for validation.
### Response and remediation
- Immediately isolate the affected EC2 instance to prevent further data exfiltration. This can be done by removing the instance from any network access or security groups that allow outbound traffic.
- Review and terminate any unauthorized Traffic Mirroring sessions, filters, or targets that were created. Ensure that only legitimate and necessary mirroring configurations are active.
- Conduct a thorough audit of the AWS CloudTrail logs to identify any other suspicious activities or unauthorized access attempts related to Traffic Mirroring or other sensitive operations.
- Rotate and update any credentials or access keys that may have been exposed or compromised during the incident to prevent further unauthorized access.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation. Escalate to higher management if the data exfiltration involves sensitive or critical data.
- Implement additional network monitoring and intrusion detection measures to enhance visibility and detect similar threats in the future. Consider using AWS GuardDuty or similar services for continuous threat detection.
- Review and update security policies and access controls to ensure that Traffic Mirroring and other sensitive features are only accessible to authorized personnel with a legitimate need.
**1. Contain**
- If unauthorized, terminate the session immediately (use the `TrafficMirrorSessionId` from `aws.cloudtrail.response_elements`)
and block creation permissions for the offending principal.
- Quarantine or restrict egress from the target if you suspect it is forwarding captured traffic outside approved destinations.
**2. Investigate**
- Enumerate all active sessions in the affected account/region; verify there aren’t additional rogue sessions.
- Review related target and filter resources (and recent `Modify*` calls) to understand captured scope and recipients.
- Trace the source ENI back to the EC2 instance and validate whether sensitive workloads were mirrored.
**3. Recover & harden**
- Remove or lock down unapproved targets/filters; enforce least privilege on `ec2:CreateTrafficMirrorSession/Target/Filter`.
- Consider SCPs or IAM conditions limiting who/where sessions can be created (e.g., only into designated monitoring VPCs).
- Ensure monitoring targets are controlled, logged, and not internet-reachable.
## Setup
**4. Improve**
- Add correlation logic to automatically surface CreateTrafficMirrorSession alongside Create/Modify Target/Filter calls by the same actor.
- Require tags on approved mirroring resources; alert on untagged/unticketed creations.
- Update playbooks to include a standard validation checklist (principal, source ENI, target, filter rules, destination path).
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
"""
references = [
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
"https://github.com/easttimor/aws-incident-response",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorSession.html",
"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/",
]
risk_score = 47
rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
Expand All @@ -74,6 +106,7 @@ tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS EC2",
"Use Case: Network Security Monitoring",
"Tactic: Exfiltration",
"Tactic: Collection",
Expand All @@ -83,9 +116,10 @@ timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and
event.outcome:success
event.dataset: "aws.cloudtrail" and
event.provider: "ec2.amazonaws.com" and
event.action: "CreateTrafficMirrorSession" and
event.outcome: "success"
'''


Expand All @@ -96,6 +130,11 @@ id = "T1020"
name = "Automated Exfiltration"
reference = "https://attack.mitre.org/techniques/T1020/"

[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
Expand All @@ -113,4 +152,34 @@ reference = "https://attack.mitre.org/techniques/T1074/"
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1040"
name = "Network Sniffing"
reference = "https://attack.mitre.org/techniques/T1040/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements",
]

Loading